Moneris Solutions

PCI Data Security Standard



Cardholder Data Security is your Responsibility


Ensuring the safety of your customers' cardholder information can help your business strive to create and maintain a positive image, enhance customer confidence and even assist in improving your bottom line.


As part of Moneris' ongoing provision of credit and debit card processing services, we want to provide you with some critical information regarding the Payment Card Industry (PCI) Data Security Standard (DSS) and the Card Association Compliance Programs.


It is important to note that all Merchants and Service Providers that store, process, or transmit cardholder data must comply with PCI DSS and the Card Association Compliance Programs. However, certification requirements vary by business and are contingent upon your "Merchant Level" or "Service Provider Level". Failure to comply with PCI DSS and the Card Association Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services.


The PCI DSS is enforced by the Card Associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International). Moneris has taken the steps to provide our valued clients with necessary information and associated links to assist in assessing the actions your business should take to ensure that you are compliant.




About PCI DSS
PCI DSS is a global data security standard that was established by VISA International and MasterCard Worldwide in December 2004. PCI DSS was the result of the alignment of the data security standards included in the VISA International and MasterCard Worldwide data security programs. PCI DSS was subsequently endorsed by American Express, Discover Financial Services, and JCB. In September 2006 the five major credit card payment networks announced the formation of an independent body, the PCI Security Standards Council, to develop and maintain the evolution of PCI DSS.

PCI DSS was created to ensure the protection of cardholder data. Following several high-profile security breaches, it became apparent that a single global set of data security standards was required to help merchants and service providers meet the card associations' security requirements. Based on twelve principal requirements, PCI DSS requires merchants to secure their physical and virtual environments to ensure the protection of cardholder data. All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions, are required to be compliant with PCI DSS.



Twelve Principal Requirements of PCI DSS
PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

Below are the twelve principal requirements of PCI DSS:

  • Build and Maintain a Secure Network
      1.) Install and maintain a firewall configuration to protect cardholder data
      2.) Do not use vendor-supplied defaults for system passwords and other security parameters
  • Protect Cardholder Data
      3.) Protect stored cardholder data
      4.) Encrypt transmission of cardholder data across open, public networks
  • Maintain a Vulnerability Management Program
      5.) Use and regularly update anti-virus software
      6.) Develop and maintain secure systems and applications
  • Implement Strong Access Control Measures
      7.) Restrict access to cardholder data by business need-to-know
      8.) Assign a unique ID to each person with computer access
      9.) Restrict physical access to cardholder data
  • Regularly Monitor and Test Networks
      10.) Track and monitor all access to network resources and cardholder data
      11.) Regularly test security systems and processes
  • Maintain an Information Security Policy
      12.) Maintain a policy that addresses information security

The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org.



Card Association Compliance Programs
The Card Associations have each developed their own compliance program to ensure merchants and service providers are compliant with PCI DSS. Each program has specific validation requirements which must be followed for the Card Associations to recognize certification to PCI DSS. Key differences between the programs include validation levels, validation requirements and approved third-party assessors.

Below is a list of the Card Association compliance programs:


Importance of PCI DSS Compliance and/or Certification
Moneris strongly endorses the need for more stringent standards regarding the handling of cardholder data. In addition, we are taking proactive measures to ensure that all merchants adopt these standards and maintain compliance on an on-going basis.

Compliance with the PCI DSS is mandatory. If you and your service providers are not compliant with PCI DSS, the Card Associations could levy fees and fines against you and your credit card processing services could be terminated. Your obligation to comply with the Card Associations' rules and regulations (including those related to security standards) is detailed in your agreement with Moneris.

Compliance means all requirements of the PCI DSS have been met. To become certified, an entity must engage the services of a Qualified Security Assessor (QSA) to validate the entity's compliance with PCI DSS. The QSA will identify areas of non-compliance, and the merchant must remedy each of them. Once all areas of non-compliance have been addressed, the QSA will re-evaluate and issue confirmation of compliance. Certification to PCI DSS is at the merchant's expense.



Merchant Levels and Validation Requirements
It is important to note that all merchants that store, process, or transmit cardholder data must comply with the PCI DSS regardless of the volume of transactions processed or the method in which they are processed. However, certification requirements vary by business and are contingent upon your "Merchant Level".

Merchant Level Description & Validation Requirements

Level 1 (VISA & MasterCard)
  Level Description:
  • Any merchant, regardless of acceptance channel, processing over 6,000,000 transactions annually of one card plan.
  • Any merchant that has suffered a hack or an attack that resulted in an account data compromise.
  • Any merchant that the card associations, at their sole discretion, determine should meet the Level 1 merchant requirements.
  Validation Requirements and Validated By:
  • Annual On-site PCI Data Security Assessment, validated by a Qualified Security Assessor (QSA) or by Internal Audit if signed by an Officer of the company.
  • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV).
  Validation Due Date: VISA September 30, 2004; MasterCard June 30, 2005.

Level 2 (VISA & MasterCard)
  Level Description:
  • Any merchant, regardless of acceptance channel, processing between 1,000,000 and 6,000,000 VISA or MasterCard transactions annually.
  Validation Requirements and Validated By:
  • Annual PCI Self Assessment Questionnaire, validated by the Merchant.
  • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV).
  Validation Due Date: VISA September 30, 2007; MasterCard December 31, 2008.

Level 3 (VISA & MasterCard)
  Level Description:
  • Any merchant processing between 20,000 and 1,000,000 VISA or MasterCard e-commerce transactions annually.
  Validation Requirements and Validated By:
  • Annual PCI Self Assessment Questionnaire, validated by the Merchant.
  • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV).
  Validation Due Date: VISA & MasterCard June 30, 2005.

Level 4 (VISA & MasterCard)
  Level Description:
  • Any merchant processing fewer than 20,000 VISA or MasterCard e-commerce transactions annually, and all other merchants (regardless of acceptance channel) processing up to 1,000,000 VISA or MasterCard transactions annually.
  Validation Requirements and Validated By:
  • Annual PCI Self Assessment Questionnaire, validated by the Merchant.
  • Quarterly Network Scan, validated by an Approved Scanning Vendor (ASV).
  Validation Due Date: Acquirer's discretion.



Third Party Service Providers
All third party service providers that store, process, or transmit cardholder information on behalf of a merchant are required to comply with PCI DSS. In addition, all service providers are required to validate their compliance with PCI DSS through the services of a QSA.



Third Party Payment Applications
Many merchants deploy third party payment applications that are tailored to their business needs to assist them in accepting credit card payments. For a merchant to be compliant with PCI DSS, the payment application(s) they deploy must meet the data security requirements that are applicable to it within PCI DSS.

VISA has developed the Payment Application Best Practices (PABP) to assist software vendors in creating secure payment applications that help ensure merchants comply with PCI DSS. A list of payment applications that have validated their compliance with PABP can be found on the VISA CISP website.

Moneris strongly recommends that merchants discuss PCI DSS and PABP with their vendors and refer to the list of validated payment applications when selecting a payment application.



Moneris and TrustWave
Moneris has partnered with TrustWave to give our merchants access to the TrustKeeper® compliance portal, an online compliance portal to help you comply with PCI DSS. TrustWave is a leading Qualified Security Assessor (www.trustwave.com) and an authorized QDSC for both VISA and MasterCard. To enroll with TrustWave, go to https://moneris.trustkeeper.net.

If you need assistance with TrustKeeper, or require more information on enrolment, please call TrustWave customer service at 1-800-363-1621.



PCI Security Standards Council
The five major credit card networks (American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International) announced the formation of an independent body to manage the ongoing evolution of the PCI DSS.

The PCI Security Standards Council will:

  • Develop and manage the PCI DSS, including maintenance, clarification and revisions of the standard;
  • Establish and maintain industry-level approval processes for qualified security assessors and network scanning vendors, and routinely evaluate and approve qualified assessors and vendors;
  • Publish and distribute the PCI DSS, and all related documents associated with Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) policies and procedures;
  • Provide an open forum where all key stakeholders can provide input into the ongoing development of other payment security standards and business practices.

Each payment card network will still be responsible for enforcing compliance with PCI DSS through its individual compliance program.

More information on the PCI Security Standards Council can be found at https://www.pcisecuritystandards.org.


Helpful/Related Links
For more information on PCI DSS and the card association compliance programs, please review the following websites:



The information contained herein is for informational purposes only and Moneris Solutions does not warrant the accuracy or completeness of the information. Although we believe the information to be reliable, we cannot guarantee that it will not be subsequently amended as a result of intervening factors such as rule changes from the Card Associations. The information contained herein is subject to change without notice and we encourage you to visit frequently to look for updates. Moneris Solutions does not endorse any external sites linked herein.